Nexus 7k and Cisco ACS 5.4 RBAC

Tuyen Nguyen (Level 1)

Greetings

I am trying to provide limited access on Nexus 7k using ACS 5.4 via TACACS. I used the following in my shell profile:

ATTRIBUTE: cisco-av-pair
REQUIREMENT: mandatory (even tried optional)
VALUE: shell:roles="network-operator"

 

Everything seems to work, but I cannot ping/traceroute and receive this error from the Nexus 7k:

Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)

 

4 Replies

edwjames (Level 3)

Hey,

Could you share the AAA configuration on the Nexus?

 

Regards

Ed

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed

Sure

aaa authentication login default group CORP_ACS
aaa authentication login console local
aaa authorization commands default group CORP_ACS local
aaa accounting default group CORP_ACS
aaa authentication login error-enable

 

aaa group server tacacs+ CORP_ACS
    server x.x.x.x
    server x.x.x.x
    use-vrf management

Hi Tony,

You should not have command authorization when you use RBAC.

Kindly remove: aaa authorization commands default group CORP_ACS local

and check again.

Regards

Ed

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed
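As an added example (not part of this thread and not Cisco or ACS tooling), the following Python script audits the two pieces discussed above: the ACS shell-profile av-pair from the question and the Nexus AAA configuration posted in reply. It validates the shell:roles value and flags the `aaa authorization commands default group ...` line that Ed recommends removing when roles come from the TACACS+ server. The sample config and attribute are constructed from what was posted, with the masked x.x.x.x server addresses replaced by RFC 5737 documentation addresses; the role list, finding wording and severity labels are assumptions.

```python
import re

# Constructed sample: the NX-OS AAA config from the thread, with the masked
# TACACS+ server addresses replaced by RFC 5737 documentation addresses.
SAMPLE_NXOS_CONFIG = """\
aaa authentication login default group CORP_ACS
aaa authentication login console local
aaa authorization commands default group CORP_ACS local
aaa accounting default group CORP_ACS
aaa authentication login error-enable
aaa group server tacacs+ CORP_ACS
    server 192.0.2.10
    server 192.0.2.11
    use-vrf management
"""

# Constructed sample: the ACS 5.x shell-profile custom attribute from the
# question as (attribute name, requirement, value).
SAMPLE_AVPAIR = ("cisco-av-pair", "mandatory", 'shell:roles="network-operator"')

# NX-OS built-in roles (assumed list); anything else must be defined with
# 'role name <x>' on the switch before the TACACS+ server can hand it out.
BUILTIN_ROLES = {"network-admin", "network-operator", "vdc-admin", "vdc-operator"}

# shell:roles="a b" (mandatory) or shell:roles*="a b" (optional attribute).
AVPAIR_RE = re.compile(r'^shell:roles(?P<opt>\*?)="(?P<roles>[^"]*)"$')


def parse_shell_roles(value):
    """Return (roles, optional) for a shell:roles av-pair value, or raise ValueError."""
    m = AVPAIR_RE.match(value.strip())
    if not m:
        raise ValueError('expected shell:roles="role [role ...]", got %r' % value)
    roles = m.group("roles").split()
    if not roles:
        raise ValueError("shell:roles value names no roles")
    return roles, m.group("opt") == "*"


def is_valid_shell_roles(value):
    """True if the value parses as a shell:roles av-pair."""
    try:
        parse_shell_roles(value)
        return True
    except ValueError:
        return False


def parse_aaa(config_text):
    """Collect global 'aaa' method lists and 'aaa group server tacacs+' blocks."""
    aaa = {"authentication": [], "authorization": [], "accounting": []}
    groups = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        indented = line[0].isspace()  # lines inside a server-group block
        line = line.strip()
        if line.startswith("aaa group server tacacs+ "):
            current = line.split()[-1]
            groups[current] = {"servers": [], "vrf": None}
            continue
        if indented and current:
            parts = line.split()
            if parts[0] == "server":
                groups[current]["servers"].append(parts[1])
            elif parts[0] == "use-vrf":
                groups[current]["vrf"] = parts[1]
            continue
        current = None
        parts = line.split()
        if parts[0] == "aaa" and len(parts) > 2 and parts[1] in aaa:
            aaa[parts[1]].append(parts[2:])
    return aaa, groups


def audit(config_text, avpair):
    """Return a list of (severity, message) findings for the av-pair and AAA config."""
    findings = []
    name, requirement, value = avpair
    if name != "cisco-av-pair":
        findings.append(("error", "attribute must be named cisco-av-pair, not %s" % name))
    try:
        roles, _optional = parse_shell_roles(value)
    except ValueError as exc:
        findings.append(("error", str(exc)))
        roles = []
    for role in roles:
        if role not in BUILTIN_ROLES:
            findings.append(("info", "role %r is not built in; define it with 'role name %s'" % (role, role)))

    aaa, groups = parse_aaa(config_text)

    # Every 'group X' in a method list must name a defined server group.
    for kind, entries in aaa.items():
        for words in entries:
            for i, word in enumerate(words):
                if word == "group" and i + 1 < len(words) and words[i + 1] not in groups:
                    findings.append(("error", "aaa %s references undefined group %s" % (kind, words[i + 1])))

    # The thread's point: with per-command authorization sent to TACACS+, the
    # server must also permit each command (ping included), so the role alone
    # is not enough. Either drop the line or add permitting command sets on ACS.
    for words in aaa["authorization"]:
        if words[0] == "commands" and "group" in words:
            grp = words[words.index("group") + 1]
            findings.append(("warn", "per-command authorization via group %s is enabled; with RBAC from "
                             "shell:roles remove 'aaa authorization commands default group %s' or add "
                             "ACS command sets that permit the commands" % (grp, grp)))

    # Lock-out guard: the console should still authenticate locally.
    if not any(words[:3] == ["login", "console", "local"] for words in aaa["authentication"]):
        findings.append(("warn", "no 'aaa authentication login console local'; a TACACS+ outage could lock out the console"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_NXOS_CONFIG, SAMPLE_AVPAIR):
        print("[%s] %s" % (severity, message))
```

Run against the posted config, the script reports one warning, the command-authorization line; remove that line (or add ACS command sets that permit ping and traceroute) and the audit comes back clean.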

Naveen Kumar (Level 4)

ref:

http://www.hellanetwork.com/2013/06/nx-os-security.html

 
